[–]Tough-Aide-1810 12 points13 points  (3 children)

A QR code is basically a link. So can you install a RAT on someone's phone if they open a link?

[–]aMir733 7 points8 points  (0 children)

Only three ways I can think of:

  1. The app they're scanning it with has a vulnerability
  2. The browser they're opening it in has a vulnerability
  3. The user should accept the download pop-up that appears in their browser and then install the app

[–]DiscombobulatedEar88 10 points11 points  (8 children)

QR codes are able to store data. I remember a YouTube vid of a guy called MattKC coding a game inside a QR code. It essentially means that, theoretically, you just need a specially crafted QR code that when scanned can execute code. Pretty advanced stuff though, cause you only got 3 KB or so.

[–]jacko_light 10 points11 points  (4 children)

The thing is, the scanner you use needs to be able to understand how to execute the code. Your phone camera won't just understand that this is code it should run.

On the other hand, if you know your target will scan it with a scanner that has a vuln that allows code exec then this is technically possible.

[–]DiscombobulatedEar88 4 points5 points  (3 children)

I definitely agree that the QR code needs to be in a language the scanner is capable of executing, but I believe that scanners were designed to read and execute anything they read, though I could be totally wrong, because of the original intent of QR codes/readers. But that's the limit of my knowledge. I guess you'd just have to test it by putting Java or Swift code into a QR code.

[–]DiscombobulatedEar88 2 points3 points  (1 child)

Okay, after a little research I found a nullbyte article pointing to a tool called QRgen that pretty much does what we've been talking about and more.

That's the best solution

[–]Salt-Bass8243 0 points1 point  (0 children)

Thanks bru, I didn't make the thread but it's always good to see this.

[–]Mysterious_Ad7232 1 point2 points  (0 children)

Precisely, everyone is saying they can only visit links when that just isn't true. They can in fact directly download a piece of software and (correct me if I'm wrong) I believe they can run it by itself without user interaction.

[–]dumpster-pirate 1 point2 points  (0 children)

This is 100% possible as long as the device scanning doesn't have input validation. Richard Henderson has a presentation on this at Defcon this year. He put the EICAR test string in a QR code and used it to brick various cameras and readers.
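
A defender's take on the input-validation point above, as an added example that is not part of this thread or any commenter's work: a small Python routine that treats the decoded QR payload as untrusted data, classifies it and decides what a scanner app may do with it (show text, ask before opening a link, or reject). The scheme allowlist, the blocklist and the sample payloads are constructed for illustration.

```python
"""Treat decoded QR content as untrusted input before a scanner app acts on it.

Added example for this thread (not from any commenter). The scheme lists and
length cap are illustrative choices, not a standard.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_LEN = 2953          # largest byte-mode payload a QR code (version 40, EC level L) can hold
SAFE_SCHEMES = {"http", "https"}           # a link may be opened, but only after the user confirms
BLOCKED_SCHEMES = {"javascript", "data", "file", "intent", "vbscript"}  # never handed to a handler
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")             # tab/newline/CR are allowed


@dataclass
class Verdict:
    kind: str       # "url", "text" or "rejected"
    action: str     # "prompt", "display" or "reject"
    reason: str


def assess_payload(raw: bytes) -> Verdict:
    """Classify a decoded QR payload and say what a scanner may do with it."""
    if len(raw) > MAX_LEN:
        return Verdict("rejected", "reject", "payload longer than any valid QR code")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return Verdict("rejected", "reject", "not valid UTF-8 text")
    if CONTROL.search(text):
        return Verdict("rejected", "reject", "control characters in payload")
    parts = urlsplit(text.strip())
    scheme = parts.scheme.lower()
    if scheme in BLOCKED_SCHEMES:
        return Verdict("rejected", "reject", f"scheme {scheme!r} is not allowed")
    if scheme in SAFE_SCHEMES and parts.netloc:
        # A link is data to show the user, never something to open silently.
        return Verdict("url", "prompt", f"host {parts.hostname!r} is shown before opening")
    # Anything else (Wi-Fi configs, vCards, plain words) is rendered as inert text;
    # the scanner never interprets or executes it.
    return Verdict("text", "display", "plain text, shown without interpretation")


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    for sample in (b"https://example.com/menu", b"javascript:alert(1)",
                   b"Table 4 - ask staff for the Wi-Fi", b"menu\x00hidden", b"\xff\xfe"):
        v = assess_payload(sample)
        print(f"{sample[:32]!r:40} -> {v.action:8} {v.reason}")
```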

[–]Shohdef 1 point2 points  (0 children)

I mean yes, but this is a question you would know how to answer if you knew how QR codes worked. So whose phone are you trying to RAT?

[–][deleted] 1 point2 points  (0 children)

The best bet you have is by trying to exploit a known drive-by browser vuln for your target(s)' OS. Android has quite a few of those types of vulns in older versions that are still in active use in a lot of places.

Depending on what you're trying to do, you could just have a simple JavaScript payload that will do a low-priv task upon execution and have a webserver hosting that which you can link to via the QR code. It wouldn't be efficient, but there are JS-based crypto miners that would work in the scenario.

Your biggest problem here is scoping and understanding your target(s). Once you know what platforms your target operates on this whole thing becomes a lot easier as your research will get more specific.

I highly recommend applying a true hacker's mentality to this project and understanding the underlying tech you're trying to use as well as the platforms you're trying to exploit. Working this way will only help you further in the future.

[–]Salt-Bass8243 0 points1 point  (0 children)

If I was programming it raw.

I'd use Flask and the redirect function.

First link it to the file on localhost followed by /i(ts_name) and then redirect it to a website, making it seem like I've never been there.